Which Drives Leadership: Compliance or Strategy?
Leadership is crucial to a successful privacy program. It is leadership that engages senior executives, inspires an extended team and provides hope to advocates and confidence to regulators.
But what drives leadership in 2014? Is it the need to have a highly compliant organization in an era where compliance is very complex? Or is it a strategic approach to information governance, now that data has moved from being a business facilitator to the driver of innovation?
Over the past two years, there has been a debate on which mission is dominant and therefore should drive choices about the background and mindset of the privacy leader and team. If privacy is a mature compliance function, similar to other compliance functions, it should be driven by the skills sets necessary for governing rules. If, on the other hand, compliance follows from a data strategy that says governance should be a robust partner to data science, the skill sets shift significantly, and that should be reflected in leadership.
A review of where we have been in the field might be useful.
For those of us who have been doing privacy for 20 years or longer, it was originally about brand. As my old boss at TRW would say, “people will never love credit reporting, but they should say we are glad that TRW takes privacy seriously.” We started the TRW Consumer Advisory Council in 1993 with the objective of restoring confidence in the brand after a major public incident. Furthermore, privacy conferences in the early 1990s were dominated by executives from information intermediaries—credit bureaus, verification services and list compilers—that had to defend and differentiate brands. Compliance was the domain of lawyers who managed the Fair Credit Reporting Act and data registrations in Europe.
The emergence of the Internet expanded the number of programs that needed privacy professionals. Brand, while still important, became second to a strategic alignment of privacy with business process and compliance to match new, or newly recognized, obligations. Privacy teams wrote ever-longer privacy notices, managed opt-out files and tried to understand the EU Directive. Privacy lawyers began to emerge from the broader field of technology law. Education became important as privacy professionals needed to broaden teams to include marketing experts and engineers. Privacy leaders were both evangelists and managers who could organize basic business processes.
The new century brought a focus on compliance driven by the globalization of data and the California data breach law. The globalization of data meant compliance with laws in an increasing number of countries and the continuous drafting of legal instruments for data transfers.
The compliance side of privacy became king.
Law firms grew their privacy advising practices, and more companies looked to privacy lawyers to lead their programs. Legal compliance became a permanent and ever more complex organizational process. The privacy leader needed to be able to interpret the law, wrestle with conflicting processes and oversee the processes necessary to assure compliance.
However, as compliance was becoming the dominant theme, the data age was undergoing a sea change that I believe fundamentally changes the way we think about privacy leadership. Observational technologies migrated from the cyber world to the physical world driven by RFID, facial recognition and location technologies. Furthermore, our ability to use unstructured data and merge very different data sets for analysis became possible. The term Big Data was adopted, and the nature of privacy changed significantly.
We are seeing the reflection of these changes in regulatory agencies, their enforcement efforts and policy direction. Lawyers are being replaced by technologists, and those technologists are taking the lead in investigations.
The Article 29 Working Party (WP 29) paper on compatible purpose is an interesting illustration of change in the way agencies are looking at risk and reinterpreting requirements. It was WP 29’s first attempt to come to grips with the inevitable pull of Big Data and the legal restrictions related to purpose specification. In the end, the paper left the reader with a sense that the compatibility of purpose relates to fairness. Fairness in turn is dependent on a multi-variable analysis. There are no checklists. There are no highly detailed privacy notices to get a company off the hook. Instead, the organization is required to make judgments that balance many different values.
So this returns us to the question of privacy leadership in complex organizations.
Big Data becomes the strategic driver of innovation and future growth. The privacy leader becomes the policy strategist. The external discussion becomes a debate about appropriate uses and intangible risks. The brand, with commercial customers, regulators and individuals, becomes a function of the quality of contextual analysis and the ability to demonstrate that quality to all constituencies. The organization owns the risk it creates for others in using information to drive innovation and must, at the very least, stand ready to demonstrate how it mitigates that risk.
While compliance with law, regulation and public expectations is required, it becomes a compliance function that is very different from other compliance functions. It requires an understanding of those obligations, but also an understanding of those obligations within the context of ever-changing research projects and applications of data.
We are already seeing a number of organizations making the transition to strategic information governance being the dominant theme of a privacy organization.
That doesn’t mean privacy teams can ignore reputation, communication, incident response, preference systems, etc. It means those tasks are in support of a governance program that creates guiderails for innovation and protects individuals from harms and insults to dignity that might come from that innovation. Whether one’s background is the law, engineering, theology or anthropology, the successful leader will lead on governance strategy.
Organizations that believe privacy is just another compliance program will be sitting ducks for strategic errors that will get in the way of innovation.
About the Author
Martin Abrams is the executive director of the Information Accountability Foundation, a new non-profit privacy think tank. He was formerly president of the Centre for Information Policy Leadership at Hunton & Williams LLP. He regularly works with data protection authorities to define future priorities. He led the project group that developed multi-layered notices and gained its acceptance from Working Party 29 of the European Commission, OECD and APEC. Abrams speaks and writes on information policy trend issues, and has led privacy seminars in Asia, Australia, Europe, North and South America. He is the 2008 winner of the International Association of Privacy Professionals Vanguard Award.